Q: Do I still need to install the URLscan tool on my Microsoft IIS 7.0 Web server to filter malicious data from incoming HTTP requests?

A: No, in IIS 7.0 there is no need to install the URLscan tool. IIS 7.0 includes URLscan functionality out of the box. This service that is equivalent to the URLscan tool in IIS 7.0 and 6.0 is referred to as Request Filtering.

URLscan checks the URLs of all incoming web server requests. Attacks against web servers often consist of sending a URL to the server that contains a string that could be interpreted by the web server as an instruction to execute a malicious command. If a URL contains suspicious character combinations, strings, or verbs, or if it exceeds a certain length, URLscan automatically blocks the associated web request.

Although IIS 6.0 already provided built-in URLscan-like functionality, many administrators still added the URLscan tool to their IIS 6.0 web servers because URLscan supported additional features, such as the ability to remove server identity headers and support for a single unified text-based configuration file (urlscan.ini). IIS 7.0 includes these URLscan features out of the box, so it's no longer necessary to install URLscan.

IIS 7.0 Request Filtering supports the filtering of hidden namespaces, Request Filtering-specific error and status codes, and the definition of website- and URL-specific Request Filtering settings. Hidden namespaces define critical web server content that can't be requested in a URL, even if the content is present on the server. For example, IIS 7 defines the the Web.config configuration file and the \App_Data and \Bin folders as hidden namespaces by default. Request Filtering-specific error and status codes allow web administrators to quickly identify why IIS's Request Filtering logic rejects certain web requests. Finally, in IIS 7.0 administrators can define a different Request Filtering behavior for each individual URL and web site. In IIS 6.0, the settings defined for URLscan are applied to all incoming web server requests, independent of the target URL or site.

The following table compares URLscan and Request Filtering functionality and shows the Request Filtering-specific error and status codes IIS 7.0 logs when it rejects a request based on a Request Filtering rule.

Click to expand.

Unlike the other IIS 7.0 security features, you can't configure Request Filtering from the IIS Manager interface, you must configure it from the IIS 7.0 configuration files. To set Request Filtering rules for all websites hosted on your IIS 7.0 server, use the ApplicationHost.config file. To set website-specific Request Filtering rules, use the web.config file. The Microsoft article How to Use Request Filtering gives more details for configuring Request Filtering.